SecPro #94: ChatGPT - Already a Security Risk?

Talking APTs, GPT, and a few other hot topics for secpros like you.

Hello! Thanks for all your feedback last week! It seems the _secpro audience is very confident that ChatGPT isn't just another passing fad, but something that is here to stay. However, not everyone is so confident. While we look over what ChatGPT is capable of, we thought we'd put in a little something for the naysayers - the growing voice of discontent with AI/ML, which is a little concerned with the rate of growth and what that means for humanity. Now, you might dismiss this voice as the kind of person who wants to live in the woods, reading books about mathematics and French philosophy. But it turns out that even industry leaders like Elon Musk are telling us to put the brakes on. With that in mind, can we really afford to ignore the possible warning signs of something more sinister? Don't worry, though - we're not becoming LudditePro. Next week, we'll be following this up with an article on how you can get the most out of ChatGPT. Cheers!
[Austin Miller](
Editor in Chief

This week's highlights:
- [ChatGPT - Already a security risk?](
- [APT #4 - Deputy Dog](
- [The Machine Learning for Cybersecurity Cookbook](
- [This Week's Survey](

And with that - on with the show!

Reading from the UK or the US? Check out our offers on Amazon.com and Amazon.co.uk.

Food for Thought...

A Norton infographic concerning more people worrying about becoming a victim of cybercrime, including stolen identities and data privacy issues.

As consumers become more and more worried about their data and the risk of a threat actor attack, do you expect to see an overall drop in the level of successful attacks? Increased anxiety over attacks might - with clear training - lead to better security practices which stop threats developing before they have a foot in the door. Do you agree? Let us know in the survey below!

This Week's Editorial Articles

ChatGPT - Already a Security Risk? We investigate how sophisticated AI is already being turned against legitimate organizations, giving rise to easier phishing and malware production.

APT #4 - Deputy Dog. We are getting close to the "medal positions" with our APT countdown, so we are now looking at another Chinese threat actor group that you chose for the _secpro team to investigate, with information on the tools used, the known attacks launched by this group, and a range of suggestions for defending against attacks from Deputy Dog.

Cybersecurity Fundamentals

Machine Learning for Cybersecurity Cookbook. We're back with another excerpt from the Machine Learning for Cybersecurity Cookbook. This time, we're taking a look at how to tackle packed malware. For a full rundown on how to get stuck into this problem, check out the book.

Tracking malware drift

The distribution of malware is ever-changing. Not only are new samples released, but new types of viruses as well. For example, cryptojackers are a relatively recent breed of malware unknown until the advent of cryptocurrency.
Interestingly, from a machine learning perspective, it's not only the types and distribution of malware that are evolving, but also their definitions, something known as concept drift. To be more specific, a 15-year-old virus is likely no longer executable on the systems currently in use. Consequently, it cannot harm a user, and is therefore no longer an instance of malware. By tracking the drift of malware, and even predicting it, an organization is better able to channel its resources to the correct type of defense, inoculating itself against future threats.

Getting ready

Preparation for this recipe involves installing the matplotlib, statsmodels, and scipy packages with pip. The command is as follows:

```shell
pip install matplotlib statsmodels scipy
```

How to do it...

In this recipe, you will use a regression on time series to predict the distribution of malware based on historical data:

- Collect historical data on the distribution of malware in your domain of interest:

  ```python
  # Toy dataset: the percentage share of each malware class, one dict per month
  month0 = {"Trojan": 24, "CryptoMiner": 11, "Other": 36, "Worm": 29}
  month1 = {"Trojan": 28, "CryptoMiner": 25, "Other": 22, "Worm": 25}
  month2 = {"Trojan": 18, "CryptoMiner": 36, "Other": 41, "Worm": 5}
  month3 = {"CryptoMiner": 18, "Trojan": 33, "Other": 44, "Worm": 5}
  months = [month0, month1, month2, month3]
  ```

- Convert the data into a separate time series for each class of malware:

  ```python
  # One list per class, ordered oldest month first
  trojan_time_series = []
  crypto_miner_time_series = []
  worm_time_series = []
  other_time_series = []
  for month in months:
      trojan_time_series.append(month["Trojan"])
      crypto_miner_time_series.append(month["CryptoMiner"])
      worm_time_series.append(month["Worm"])
      other_time_series.append(month["Other"])
  ```

- Import the moving average from statsmodels:

  ```python
  # ARMA lived in statsmodels.tsa.arima_model when this recipe was written; newer
  # statsmodels releases have removed it. On a current release the equivalent is
  # from statsmodels.tsa.arima.model import ARIMA, fitted with order=(0, 0, 1) and
  # no disp argument.
  from statsmodels.tsa.arima_model import ARMA
  ```

- Predict the following month's distribution based on the time series using the moving average:

  ```python
  # order=(p, q) with p=0 specializes ARMA to a pure moving-average model, MA(1)
  ts_model = ARMA(trojan_time_series, order=(0, 1))
  model_fit_to_data = ts_model.fit(disp=True)
  # Forecast exactly one step past the last observation
  y_Trojan = model_fit_to_data.predict(len(trojan_time_series), len(trojan_time_series))
  print("Trojan prediction for following month: " + str(y_Trojan[0]) + "%")
  ```

  The result for Trojans is as follows:

  ```
  Trojan prediction for following month: 21.699999876315772%
  ```

  We run the same method for Cryptominers:

  ```python
  ts_model = ARMA(crypto_miner_time_series, order=(0, 1))
  model_fit_to_data = ts_model.fit(disp=True)
  y_CryptoMiner = model_fit_to_data.predict(
      len(crypto_miner_time_series), len(crypto_miner_time_series)
  )
  print("CryptoMiner prediction for following month: " + str(y_CryptoMiner[0]) + "%")
  ```

  We obtain the following prediction:

  ```
  CryptoMiner prediction for following month: 24.09999979660618%
  ```

  In the case of Worms, use the following code:

  ```python
  ts_model = ARMA(worm_time_series, order=(0, 1))
  model_fit_to_data = ts_model.fit(disp=True)
  y_Worm = model_fit_to_data.predict(len(worm_time_series), len(worm_time_series))
  print("Worm prediction for following month: " + str(y_Worm[0]) + "%")
  ```

  We obtain the following prediction:

  ```
  Worm prediction for following month: 14.666665384131406%
  ```

  For other types of malware, we use the following code:

  ```python
  ts_model = ARMA(other_time_series, order=(0, 1))
  model_fit_to_data = ts_model.fit(disp=True)
  y_Other = model_fit_to_data.predict(len(other_time_series), len(other_time_series))
  print("Other prediction for following month: " + str(y_Other[0]) + "%")
  ```

  We obtain the following prediction:

  ```
  Other prediction for following month: 27.400000645620793%
  ```

How it works...

For instructive purposes, we produce a toy dataset representing the percentage of each type of malware over time (Step 1). With a larger amount of historical data, such a dataset can indicate where to channel your resources in the domain of security. We collect the data in one place and produce visualization plots (Step 2). We would like to perform simple forecasting, so we import ARMA, which stands for autoregressive moving-average model, and is a generalization of the moving-average model. For simplicity, we specialize ARMA to a moving average (MA). In Step 4, we employ MA to make a prediction on how the percentages of malware will evolve in the next time period. With a larger dataset, it is prudent to attempt different models, as well as to create a train-test split that accounts for time. This will allow you to find the most explanatory model, in other words, the model that produces the most accurate time forecasts.

Have You Tried...?

Obfuscation is a valuable skill, so here are a few simple pieces to help you up your game. Especially useful for Windows users.
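Back to the malware-drift recipe: as an added example (not the cookbook's or Packt's code), here are the same steps with only the Python standard library, so they run without statsmodels. A windowed mean stands in for the MA(1) fit, the per-class series are built without depending on dict key order or on every class being present in every month, and a walk-forward split implements the time-aware train/test evaluation the text recommends; the candidate window sizes are an assumption.

```python
"""Added example (not the cookbook's code): the recipe's drift-tracking steps with
only the standard library. A windowed mean replaces the MA(1) fit, and the forecaster
is scored with the time-ordered train/test split the recipe recommends."""
from typing import Dict, List

# The four months quoted in the recipe (shares in percent).
MONTHS: List[Dict[str, float]] = [
    {"Trojan": 24, "CryptoMiner": 11, "Other": 36, "Worm": 29},
    {"Trojan": 28, "CryptoMiner": 25, "Other": 22, "Worm": 25},
    {"Trojan": 18, "CryptoMiner": 36, "Other": 41, "Worm": 5},
    {"CryptoMiner": 18, "Trojan": 33, "Other": 44, "Worm": 5},
]

def to_series(months: List[Dict[str, float]]) -> Dict[str, List[float]]:
    """One series per class. Dict key order is irrelevant (month3 lists CryptoMiner
    first) and a class absent from a month counts as 0%, so a family that has died
    out (the recipe's concept drift) shows as a decaying series, not a KeyError."""
    classes = sorted({name for month in months for name in month})
    return {c: [float(month.get(c, 0.0)) for month in months] for c in classes}

def moving_average_forecast(series: List[float], window: int) -> float:
    """Next-step forecast: the mean of the last `window` observations."""
    if not series:
        raise ValueError("cannot forecast from an empty series")
    tail = series[-window:]
    return sum(tail) / len(tail)

def forecast_next_month(months: List[Dict[str, float]], window: int = 3) -> Dict[str, float]:
    """Forecast every class and renormalise so the shares sum to 100. A windowed mean
    of complete months already does, but independently fitted per-class models need
    not: the recipe's four MA(1) outputs add up to about 87.9, not 100."""
    raw = {c: moving_average_forecast(s, window) for c, s in to_series(months).items()}
    total = sum(raw.values())
    return {c: 100.0 * v / total for c, v in raw.items()} if total else raw

def walk_forward_mae(months: List[Dict[str, float]], window: int, min_train: int = 2) -> float:
    """Mean absolute error over a time-ordered split: for each month t >= min_train,
    forecast from months [0, t) only and score against month t. Nothing is shuffled,
    so no future month leaks into the training window."""
    series = to_series(months)
    errors = [abs(moving_average_forecast(s[:t], window) - s[t])
              for t in range(min_train, len(months)) for s in series.values()]
    return sum(errors) / len(errors)

def select_window(months: List[Dict[str, float]], candidates=(1, 2, 3)) -> int:
    """Model selection as the recipe advises: keep the candidate with the lowest
    walk-forward error, i.e. the most explanatory of the models tried."""
    return min(candidates, key=lambda w: walk_forward_mae(months, w))
```

On the recipe's four months the naive last-value forecast (window 1) scores a lower walk-forward error than the three-month mean, which is exactly why the text asks you to compare models on a time-ordered split before trusting one.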
- [danielbohannon/Invoke-Obfuscation]( - Obfuscation tool for PowerShell.
- [danielbohannon/Revoke-Obfuscation]( - The blue team equivalent to Invoke Obfuscation.
- [obfuscar/obfuscar]( - Need an obfuscation tool for .NET? Check this one out.
- [mandiant/flare-floss]( - A simple tool for identifying and detangling obfuscated code in malware.

Copyright © 2023 Packt Publishing, All rights reserved.
As a GDPR-compliant company, we want you to know why you're getting this email. The _secpro team, as a part of Packt Publishing, believes that you have a legitimate interest in our newsletter and the products associated with it. Our research shows that you opted in for communication with Packt Publishing in the past and we think that your previous interest warrants our appropriate communication. If you do not feel that you should have received this or are no longer interested in _secpro, you can opt out of our emails using the unsubscribe link below.

Our mailing address is: Packt Publishing, Livery Place, 35 Livery Street, Birmingham, West Midlands, B3 2PB
United Kingdom